It depends on the implementation.
For ultimate security, encrypt with a one-way function. You then encrypt
prior to checking if the login is correct. In this system, a new PWD has to
be generated if the user loses it, as PWDs are not crackable (at least in
theory). I have seen systems that used a one-way hash, but these are not
really one way. PVCS used (may still use) a simple hex generator that threw
off the ASCII code according to a simple algorithm. Rather easy to crack for
anyone with a few minutes of time and an understanding of security. This is
not a good method for a really secure system, but most systems are not
otherwise set up to prevent internal hacking anyway. The hash will stop the
casual looker, while the encrypt will help even more.
NOTE: There are more prudent methods to secure databases, like eliminating
direct table access and forcing access via stored procedures.
--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA
************************************************
Think Outside the Box!
************************************************
"John" <fa***@facke.null> wrote in message
news:40**********************@news.skynet.be...
Hi all,
What is the best way to store a pwd into a dbase? I guess it is hashing
it. I read a lot regarding this issue about using MD5 for it, but can I use AES for
it also? And what is that salt thing doing? And then, there is more: what is
the best way to request a login and pwd from a user (client level) without
using HTTPS or NTLM or something like that, just a clean HTML / ASP thing?
John